email-importance-content-analysis

# Email Importance Content Analysis Use a **subject/title-first** triage, then perform **technical verification** (headers/links/attachments) only when warranted, and only then validate with **content analysis**. Treat **sender display name, badges, labels, and “From” appearance as untrusted**. ## Workflow (title → technical → content) ### 1) Title/subject + sender triage (cheap first-pass) Use only: **subject line + sender (display name + email address/domain as shown)**. Do not click anything. Important: treat sender as **weak signal** (can be spoofed). Use it for triage only. #### 1A) Fast-drop rules (save time) If the sender looks **obviously sloppy/spoofed** AND the email is not expected, classify as **Likely scam/ads** and stop (do not spend time on technical verification). Examples of fast-drop signals: - Display name claims a bank/government/major brand but the address is from a **free mailbox** (gmail/outlook/163/qq) or unrelated domain - Lookalike domains / typo-squatting: `paypaI` (I/l), `micros0ft` (0/O), extra `-secure`/`-verify`, weird punctuation - Suspicious TLDs or brand stuffed into subdomain: `brand.security-check.example.com` - Very unprofessional local-part patterns (random digits/strings) while claiming official identity - Pure promo patterns (promo/marketing/news) + obvious sales subject ⇒ treat as ads #### 1B) Escalate rules (to technical verification) Escalate for technical verification if **subject OR sender** implies any of: - **Money/settlement**: 扣款/圈存/付款/退款/發票/帳單/對帳單/繳費 - **Account/security**: 登入/驗證/密碼重設/異常登入/停權/封鎖/安全警告 - **Delivery/download**: 文件下載/取件號碼/包裹/物流失敗 - **Urgency/threat**: 最後通知/24小時內/立即/否則將… - **Execution**: 附件/請下載/請開啟/啟用巨集 If the subject is clearly marketing/newsletter and no action is implied ⇒ usually **stop here** (Low). If it triggers the fast-drop rules, you may label it as: - **Importance**: Low - **Risk**: Medium–High (spoof attempt) - **Next step**: Do not click; optionally mark as spam/block ### 2) Technical verification (only for emails that passed title triage) Prefer evaluating **raw email headers** / “Show original” output (or via gog `gmail get`). Check: - **Authentication-Results**: SPF / DKIM / DMARC results (`pass|fail|neutral`) and note which domain they authenticate - **Alignment**: whether DKIM d= domain / SPF MAIL FROM / DMARC aligns with the visible From domain - **From vs Reply-To** mismatch - **Links and attachments**: - Expand the real target domain (hover/copy link) — don’t trust anchor text - Note risky attachments (e.g., .zip, .iso, .js, .vbs, .docm, password-protected archives) If headers are **not available**, mark Technical verdict = **Unknown** and increase caution. ### 3) Extract the actionable claims (facts only) — only if technical verification passes From the email body, list: - What happened / what they claim happened - What they want the recipient to do (and by when) - What account/system/money is involved - What evidence they provide (order id, invoice id, ticket id, last-4 digits, timestamps) ### 4) Classify the required action (drives importance) Rank higher if it requires any of: - **Account access / authentication**: login, password reset, 2FA codes, device approval - **Money movement**: payment, wire, subscription renewal, invoice settlement, refunds - **Permissions / security posture**: granting access, changing roles, API keys, OAuth consent - **Software execution**: download/open an attachment, run a file, enable macros - **Data disclosure**: personal/company info, documents, ID numbers ### 5) Content risk patterns (red flags) Increase risk if the content shows: - **Urgency / threat**: “within 24h”, “account will be closed”, “legal action”, “final notice” - **Secrecy / bypass**: “don’t tell others”, “use personal email”, “avoid normal process” - **Mismatch / vagueness**: generic greeting, unclear context, missing specifics the real sender would know - **Odd requests**: asking for OTP, gift cards, crypto, remote access, or direct bank changes - **Link/attachment pressure**: “click to verify”, “download to view”, “enable macros” ### 6) Choose safe verification (do not trust the email path) Even if SPF/DKIM/DMARC pass, for sensitive actions recommend **out-of-band verification**: - Navigate via **known official entry points** (typed URL, app, bookmark), not email links - If it claims an account issue: check account status by logging in from official site/app - If it’s a vendor/payment issue: verify using the invoice/order id inside the official portal - If it’s workplace related: verify via internal chat/phone using known contacts ### 7) Output: priority + next action Always provide: - **Title triage verdict**: Escalate / Ignore - **Technical verdict**: Pass / Fail / Unknown - **Importance level**: Critical / High / Medium / Low - **Risk level**: High (likely phishing) / Medium / Low - **Recommended next step**: what to do *now*, what *not* to do, and how to verify ## Decision Heuristics (quick) - **Technical FAIL** (SPF/DKIM/DMARC fail or obvious mismatch) + any call-to-action ⇒ **Risk: High** (treat as phishing) regardless of “importance”. - **Critical**: money/credentials/permissions + urgency OR any request for OTP/macro/remote access. - **High**: requires action soon, could cause loss of access/service interruption, but can be verified safely via official channels. - **Medium**: informational but relevant; no immediate sensitive action. - **Low**: newsletters, marketing, generic updates with no action. ## Response Template (use in replies) - Title triage (why it escalates / why it can be ignored): - Technical verification (SPF/DKIM/DMARC + alignment + From/Reply-To + link/attachment notes): - Summary (1–2 lines): - What it’s asking you to do: - Why it may matter (impact if ignored): - Red flags (if any): - Safe verification path: - Recommendation (do / don’t):